SyncCrypt
SyncCrypt is a ransomware that runs on Microsoft Windows. It was discovered by xXToffeeXx.

Payload Transmission

SyncCrypt is distributed by spam attachments containing WSF files. The WSF script downloads images with embedded ZIP files that contain the files needed to infect the computer with SyncCrypt. This method has also made the images undetectable by almost all antivirus vendors on VirusTotal. The WSF attachments pretend to be court orders, with file names like CourtOrder_845493809.wsf. When executed, these WSF files run a JScript script that downloads an image from one of three sites. If a user were to open one of these image URLs directly, they would just see an image containing the logo for Olafur Arnalds' album titled "& They Have Escaped the Weight of Darkness". Embedded in this image, though, is a ZIP file containing the sync.exe, readme.html, and readme.png files. These files are the core components of the SyncCrypt ransomware. After the image is downloaded to the %Temp% folder as a randomly named ZIP file, its contents are extracted into %Temp%\BackupClient. The sync.exe file is then executed to install the ransomware.

Infection

Once the sync.exe executable has been extracted from the ZIP file, the WSF file creates a Windows scheduled task called Sync that is configured to fire 1 minute after the WSF file is executed. Once sync.exe runs, it scans the computer for certain file types and encrypts them using AES encryption. The AES key used to encrypt the files is itself encrypted with an embedded RSA-4096 public encryption key, and the encrypted key is saved in %Desktop%\README\key.
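The delivery chain above hinges on a ZIP archive appended to an otherwise normal image, which is why scanners that only look at the picture miss it. The following is an added example, not code from the Malware Wiki or from the SyncCrypt sample: it walks a PNG's chunk list to find where the real image ends and then checks whether a valid ZIP archive follows, listing its members. The PNG and the appended archive it tests against are constructed in the block as fixtures (placeholder bytes, not the real lure image or payload); the lure image's actual format and file names beyond readme.html and sync.exe are not assumed.

```python
import io
import struct
import zipfile
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_FILE_HEADER = b"PK\x03\x04"   # start of a ZIP local file entry
ZIP_END_OF_CENTRAL_DIR = b"PK\x05\x06"  # trailer every real ZIP archive carries


def png_image_end(data: bytes) -> Optional[int]:
    """Walk the PNG chunk list and return the offset just past the IEND chunk.

    Bytes after that offset are never rendered by an image viewer, so they are
    the natural place to look for a hidden archive. Returns None for non-PNG data.
    """
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, chunk_type = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + data + CRC
        if chunk_type == b"IEND":
            return pos
    return None


def find_appended_zip(data: bytes) -> Optional[dict]:
    """Report a ZIP archive that follows the end of a PNG image.

    For a well-formed PNG the search starts after IEND, so ZIP-like bytes inside
    the image proper are ignored; for any other input the whole buffer is searched.
    """
    image_end = png_image_end(data)
    search_from = image_end if image_end is not None else 0
    offset = data.find(ZIP_LOCAL_FILE_HEADER, search_from)
    if offset == -1 or data.rfind(ZIP_END_OF_CENTRAL_DIR) < offset:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[offset:])) as archive:
            members = archive.namelist()
    except zipfile.BadZipFile:
        return {"offset": offset, "members": [], "valid_archive": False}
    return {
        "offset": offset,
        "trailing_bytes": len(data) - (image_end if image_end is not None else offset),
        "members": members,
        "valid_archive": True,
    }


def build_minimal_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed fixture: a tiny valid all-black RGB PNG (not the real lure image)."""
    def chunk(chunk_type: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(chunk_type + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + chunk_type + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    scanlines = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


def build_sample_polyglot() -> bytes:
    """Constructed fixture: the PNG above with a ZIP appended, mirroring the layout
    the page describes. Member contents are placeholders, not the real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("readme.html", "<html>placeholder, constructed for this example</html>")
        archive.writestr("sync.exe", b"placeholder bytes, not an executable (constructed)")
    return build_minimal_png() + buf.getvalue()


if __name__ == "__main__":
    print("clean PNG:", find_appended_zip(build_minimal_png()))
    print("PNG with appended ZIP:", find_appended_zip(build_sample_polyglot()))
```

Starting the search at IEND rather than at offset 0 matters: a `PK` signature can occur by chance inside compressed image data, and a mail gateway or sandbox rule that fires on any such hit would be noisy. For JPEG or GIF lures the same idea applies with that format's own end marker; the block only parses PNG structurally and falls back to a whole-buffer search otherwise.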
The targeted file types are: .accdb, .accde, .accdr, .adp, .ach, .arw, .asp, .aspx, .backup, .backupdb, .bak, .bat, .bay, .bdb, .bgt, .blend, .bmp, .bpw, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .cer, .cfg, .class, .cls, .config, .contact, .cpp, .craw, .crt, .crw, .css, .csv, .d3dbsp, .dbx, .dcr, .dcs, .dds, .der, .dif, .dit, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dwg, .dxb, .dxf, .edb, .eml, .eps, .fdb, .flf, .fpx, .frm, .gif, .gpg, .gry, .hbk, .hpp, .html, .hwp, .jpe, .jpeg, .jpg, .kdbx, .kdc, .key, .jar, .java, .laccdb, .latex, .ldf, .lit, .lua, .mapimail, .max, .mbx, .mdb, .mfw, .mlb, .mml, .mmw, .midi, .moneywell, .mocha, .mpp, .nef, .nml, .nrw, .oab, .odb, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .otg, .oth, .otp, .ots, .p12, .pas, .pab, .pbm, .pcd, .pct, .pcx, .pdf, .pef, .pem, .pfx, .pgm, .php, .pict, .pntg, .potm, .potx, .ppam, .ppm, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ppz, .prf, .psd, .ptx, .pub, .qbw, .qbx, .qpw, .raf, .rtf, .safe, .sav, .save, .sda, .sdc, .sdd, .sdf, .sdp, .skp, .sql, .sqlite, .sqlite3, .sqlitedb, .stc, .std, .sti, .stm, .stw, .sxc, .sxg, .sxi, .sxm, .sxw, .tex, .txt, .tif, .tiff, .vcf, .wallet, .wb1, .wb2, .wb3, .wcm, .wdb, .wpd, .wps, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlam, .xlc, .xlk, .xlm, .xlt, .reg, .rspt, .profile, .djv, .djvu, .ms11, .ott, .pls, .png, .pst, .xltm, .xltx, .xlw, .xml, .r00, .7zip, .vhd, .aes, .ait, .apk, .arc, .asc, .asm, .asset, .awg, .back, .bkp, .brd, .bsa, .bz2, .csh, .das, .dat, .dbf, .db_journal, .ddd, .ddoc, .des, .design, .erbsql, .erf, .ffd, .fff, .fhd, .fla, .flac, .iif, .iiq, .indd, .iwi, .jnt, .kwm, .lbf, .litesql, .lzh, .lzma, .lzo, .lzx, .m2ts, .m4a, .mdf, .mid, .mny, .mpa, .mpe, .mpeg, .mpg, .mpga, .mrw, .msg, .mvb, .myd, .myi, .ndf, .nsh, .nvram, .nxl, .nyf, .obj, .ogg, .ogv, .p7b, .p7m, .p7r, .p7s, .package, .pages, .pat, .pdb, .pdd, .pfr, .pnm, .pot, .psafe3, .pspimage, .pwm, .qba, .qbb, .qbm, .qbr, .qby, .qcow, .qcow2, .ram, .rar, .ras, .rat, .raw, .rdb, .rgb, .rjs, .rtx, .rvt, .rwl, .rwz, .scd, .sch, .scm, .sd2, .ser, .shar, .shw, .sid, .sit, .sitx, .skm, .smf, .snd, .spl, .srw, .ssm, .sst, .stx, .svg, .svi, .swf, .tar, .tbz, .tbz2, .tgz, .tlz, .txz, .uop, .uot, .upk, .ustar, .vbox, .vbs, .vcd, .vdi, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vor, .wab, .wad, .wav, .wax, .wbmp, .webm, .webp, .wks, .wma, .wp5, .wri, .wsc, .wvx, .xpm, .xps, .xsd, .zip, .zoo.

When a file is encrypted, the .kk extension is appended to the filename. For example, a file named test.jpg would be encrypted and renamed to test.jpg.kk.

While encrypting files, SyncCrypt skips files located in the following folders: windows\, program files (x86)\, program files\, programdata\, winnt\, \system volume information\, \desktop\readme\, \$recycle.bin\.

When SyncCrypt has finished encrypting a computer, a folder called README will be present on the desktop. This folder contains the AMMOUNT.txt, key, readme.html, and readme.png files. AMMOUNT.txt holds the ransom amount, key is the encrypted decryption key, and the other two files are the ransom notes. SyncCrypt then automatically opens the readme.html ransom note in the victim's default browser. This ransom note contains instructions to send a payment of 0.1001270 bitcoins (~429 USD) to the enclosed bitcoin address. After a payment has been made, the victim is told to email the key file to getmyfiles@keemail.me, getmyfiles@scryptmail.com, or getmyfiles@mail2tor.com to receive a decrypter.

Category:Ransomware Category:Win32 ransomware Category:Microsoft Windows Category:Win32 Category:Win32 trojan Category:Trojan
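The post-encryption artifacts listed above (the .kk suffix, the desktop README folder, and the key file that holds the RSA-encrypted AES key) are what an incident responder looks for first when triaging a machine or a mounted disk image. The following is an added example, not code from the Malware Wiki or from any published SyncCrypt tooling: it walks a directory tree, counts .kk files by their original extension, lists the README artifacts, points out the key file so it can be preserved, and flags any .kk file sitting under a folder the page says SyncCrypt skips, since that would suggest something other than this family. The victim file tree it runs on is constructed in a temporary directory as a fixture; the path layout (Users/alice/...) is an assumption for the demo.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

ENCRYPTED_SUFFIX = ".kk"
# Artifacts the page says SyncCrypt drops in the desktop README folder.
README_ARTIFACTS = {"ammount.txt", "key", "readme.html", "readme.png"}
# Folders the page says SyncCrypt skips; a .kk file under one of these deserves a second look.
SKIPPED_FOLDERS = {"windows", "program files (x86)", "program files", "programdata",
                   "winnt", "system volume information", "$recycle.bin"}


def under_skipped_folder(relative: Path) -> bool:
    """True if any parent directory of the path is one SyncCrypt is said to skip."""
    return any(part.lower() in SKIPPED_FOLDERS for part in relative.parts[:-1])


def triage(root: str) -> Dict:
    """Walk a directory tree (e.g. a mounted image) and summarise SyncCrypt indicators."""
    root_path = Path(root)
    encrypted: List[str] = []
    by_original_ext: Counter = Counter()
    note_artifacts: List[str] = []
    key_files: List[str] = []
    for dirpath, _subdirs, filenames in os.walk(root_path):
        folder = Path(dirpath)
        for name in filenames:
            relative = (folder / name).relative_to(root_path)
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(relative.as_posix())
                # Strip ".kk" to recover the original name, then take its extension.
                original = Path(name[:-len(ENCRYPTED_SUFFIX)]).suffix.lower() or "(no extension)"
                by_original_ext[original] += 1
            elif folder.name.lower() == "readme" and name.lower() in README_ARTIFACTS:
                note_artifacts.append(relative.as_posix())
                if name.lower() == "key":
                    key_files.append(relative.as_posix())
    return {
        "encrypted_count": len(encrypted),
        "by_original_ext": dict(by_original_ext),
        "in_skipped_folders": [p for p in encrypted if under_skipped_folder(Path(p))],
        "note_artifacts": sorted(note_artifacts),
        # Preserve these: the RSA-encrypted AES key is the only route to the data.
        "key_files": key_files,
    }


def build_sample_tree(root: str) -> None:
    """Constructed fixture resembling a user profile after encryption (placeholder contents)."""
    files = {
        "Users/alice/Desktop/README/AMMOUNT.txt": "0.1001270",
        "Users/alice/Desktop/README/key": "placeholder for the RSA-encrypted AES key",
        "Users/alice/Desktop/README/readme.html": "<html>placeholder note</html>",
        "Users/alice/Desktop/README/readme.png": "placeholder",
        "Users/alice/Documents/report.docx.kk": "ciphertext placeholder",
        "Users/alice/Pictures/holiday.jpg.kk": "ciphertext placeholder",
        "Users/alice/Documents/notes.md": "untouched sample file",
        "Windows/System32/drivers/etc/hosts": "untouched file in a skipped folder",
    }
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo() -> Dict:
    """Build the fixture in a fresh temporary directory and triage it."""
    root = tempfile.mkdtemp(prefix="synccrypt-triage-")
    build_sample_tree(root)
    return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The breakdown by original extension is a quick sanity check against the target list above: if the bulk of .kk files came from extensions that are not in it, or from folders that should have been skipped, the sample on the box is probably not the one this page describes. Pointing `triage()` at a real drive letter or mount point works the same way as the fixture.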